import { NextRequest, NextResponse } from "next/server";
// Fixed-window rate limiter state, kept only in this module's memory.
// Counters are therefore local to the running instance and are lost on
// restart; they are not shared between processes.
type RateLimitEntry = { count: number; resetTime: number };
type RateLimitRule = { max: number; windowMs: number };

// Key format is "<ip>:<first path segments>" (built in checkRateLimit).
const rateLimitMap = new Map<string, RateLimitEntry>();

// Per-route budgets, looked up by path prefix. Every window is one minute.
const RATE_LIMITS: Record<string, RateLimitRule> = {
  // 5 ingestions per minute
  "/api/ingest": { max: 5, windowMs: 60_000 },
  // 30 chat messages per minute
  "/api/chat": { max: 30, windowMs: 60_000 },
  // 60 repo checks per minute
  "/api/repo": { max: 60, windowMs: 60_000 },
};
/**
 * Looks up the rate-limit rule for a request path.
 *
 * Matching is a plain string-prefix test against the keys of RATE_LIMITS, in
 * insertion order, so a path such as "/api/chat/stream" (and also any path
 * that merely begins with the same characters) picks up the "/api/chat" rule.
 *
 * @param pathname Request path to classify.
 * @returns The first matching rule, or `null` when no prefix matches.
 */
function getRateLimit(pathname: string) {
  const match = Object.entries(RATE_LIMITS).find(([prefix]) =>
    pathname.startsWith(prefix)
  );
  return match ? match[1] : null;
}
/**
 * Fixed-window rate-limit check for one client on one route.
 *
 * The counter bucket is keyed by the caller-supplied `ip` string plus the
 * path truncated to its first segments (e.g. "/api/chat"). The limiter is
 * only as trustworthy as that `ip` value: it is used verbatim, so whoever
 * derives it must take it from a source the client cannot choose freely.
 *
 * @param ip Client identifier used as the bucket key prefix.
 * @param pathname Request path; decides which rule applies.
 * @returns `true` when the request may proceed (including paths with no
 *   rule), `false` when the bucket's budget for the current window is spent.
 */
function checkRateLimit(ip: string, pathname: string): boolean {
  const rule = getRateLimit(pathname);
  // Paths without a configured rule are never throttled.
  if (rule === null) return true;

  const routeKey = pathname.split("/").slice(0, 3).join("/");
  const bucketKey = [ip, routeKey].join(":");
  const timestamp = Date.now();
  const bucket = rateLimitMap.get(bucketKey);

  // First request for this key, or the previous window has elapsed:
  // open a fresh window that already counts this request.
  if (bucket === undefined || timestamp > bucket.resetTime) {
    rateLimitMap.set(bucketKey, {
      count: 1,
      resetTime: timestamp + rule.windowMs,
    });
    return true;
  }

  if (bucket.count < rule.max) {
    bucket.count += 1;
    return true;
  }

  // Budget exhausted; the counter is left untouched until the window resets.
  return false;
}
// Once a minute, drop buckets whose window has already ended so the map does
// not retain stale keys. Between sweeps the map is not size-bounded: it holds
// one entry per distinct "<ip>:<route>" key seen in the last window.
setInterval(() => {
  const cutoff = Date.now();
  rateLimitMap.forEach((bucket, bucketKey) => {
    if (cutoff > bucket.resetTime) {
      rateLimitMap.delete(bucketKey);
    }
  });
}, 60_000);
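/**
 * Sets the baseline security response headers on `response`.
 *
 * Kept separate so every response produced by the middleware (pass-through
 * and the 429 rejection alike) carries the same header set.
 */
function applySecurityHeaders(response: NextResponse): void {
  // Forbid framing entirely (clickjacking defence).
  response.headers.set("X-Frame-Options", "DENY");
  // Stop browsers from MIME-sniffing a response into another content type.
  response.headers.set("X-Content-Type-Options", "nosniff");
  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
  response.headers.set("X-DNS-Prefetch-Control", "on");
  // Two-year HSTS covering subdomains, with the preload directive.
  response.headers.set(
    "Strict-Transport-Security",
    "max-age=63072000; includeSubDomains; preload"
  );
  response.headers.set(
    "Permissions-Policy",
    "camera=(), microphone=(), geolocation=()"
  );
}

/**
 * Next.js middleware: adds security headers to every matched response and
 * rate-limits requests under "/api/".
 *
 * @param request Incoming request.
 * @returns The pass-through response, or a JSON 429 response when the
 *   caller has exhausted its budget for the requested API route.
 */
export function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;

  // Rate limiting for API routes
  if (pathname.startsWith("/api/")) {
    // NOTE(review): X-Forwarded-For is an ordinary request header. The
    // leftmost entry is only a reliable client address when a trusted proxy
    // in front of this app overwrites or sanitises the header; otherwise the
    // client picks the value and with it the rate-limit bucket. Confirm how
    // the deployment populates it.
    // Requests with no usable value all share the single "unknown" bucket.
    const ip =
      request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";

    if (!checkRateLimit(ip, pathname)) {
      const limited = NextResponse.json(
        { error: "Too many requests. Please try again later." },
        { status: 429 }
      );
      // The rejection is a brand-new response object, so it needs the
      // security headers applied explicitly as well.
      applySecurityHeaders(limited);
      return limited;
    }
  }

  const response = NextResponse.next();
  applySecurityHeaders(response);
  return response;
}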
// Next.js middleware configuration: selects which request paths run through
// middleware(). Paths excluded here receive neither the security headers nor
// the rate-limit check from this file.
export const config = {
matcher: [
// Match every path except those beginning with _next/static, _next/image,
// favicon.ico or logo.webp (negative lookahead at the start of the path).
// The "." characters inside the lookahead are regex wildcards, not literal dots.
"/((?!_next/static|_next/image|favicon.ico|logo.webp).*)",
],
};